setcap breaks systemd permissions

Added the SMART plugin utility to collectd version 5.8.

Received a warning about lacking the permission to collect I/O data:

Nov  9 13:27:40 db07 collectd[35127]: smart plugin: Running collectd as root, but the CAP_SYS_RAWIO capability is missing. The plugin's read function will probably fail. Is your init system dropping capabilities?

setcap allows collectd to use this capability:

root@foo# setcap cap_sys_rawio=ep /usr/sbin/collectd

After adding the capability, systemd cannot start the process:

Nov  9 13:27:26 db07 systemd[34172]: Failed at step EXEC spawning /usr/sbin/collectd: Operation not permitted
Nov  9 13:27:26 db07 systemd[1]: collectd.service: main process exited, code=exited, status=203/EXEC
Nov  9 13:27:26 db07 systemd[1]: Unit collectd.service entered failed state.
Nov  9 13:27:26 db07 systemd[1]: collectd.service failed.
Nov  9 13:27:27 db07 systemd[1]: collectd.service holdoff time over, scheduling restart.
Nov  9 13:27:27 db07 systemd[34174]: Failed at step EXEC spawning /usr/sbin/collectd: Operation not permitted

After adding this flag, what prevents systemd from executing it?

Edit: per the suggestion, adding the systemctl collectd.service configuration:

 [root@host ~]# systemctl cat collectd.service
 # /usr/lib/systemd/system/collectd.service
 [Unit]
 Description=Collectd statistics daemon
 Documentation=man:collectd(1) man:collectd.conf(5)
 After=local-fs.target network-online.target
 Requires=local-fs.target network-online.target

 [Service]
 ExecStart=/usr/sbin/collectd
 EnvironmentFile=-/etc/sysconfig/collectd
 EnvironmentFile=-/etc/default/collectd
 ProtectSystem=full
 ProtectHome=true

 # A few plugins won't work without some privileges, which you'll have to
 # specify using the CapabilityBoundingSet directive below.
 #
 # Here's a (incomplete) list of the plugins known capability requirements:
 #   ceph            CAP_DAC_OVERRIDE
 #   dns             CAP_NET_RAW
 #   exec            CAP_SETUID CAP_SETGID
 #   intel_rdt       CAP_SYS_RAWIO
 #   intel_pmu       CAP_SYS_ADMIN
 #   iptables        CAP_NET_ADMIN
 #   ping            CAP_NET_RAW
 #   smart           CAP_SYS_RAWIO
 #   turbostat       CAP_SYS_RAWIO
 #
 # Example, if you use the iptables plugin alongside the dns or ping plugin:
 #CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
 #
 # By default, drop all capabilities:
 CapabilityBoundingSet=

 # Tell systemd it will receive a notification from collectd over its control
 # socket once the daemon is ready. See systemd.service(5) for more details.
 Type=notify

 # Restart the collectd daemon when it fails.
 Restart=on-failure

 [Install]
 WantedBy=multi-user.target

 # /etc/systemd/system/collectd.service.d/override.conf
 CapabilityBoundingSet=CAP_SYS_RAWIO

Answer 1

Try adding the capability using systemd:

systemctl edit collectd

Then add the following line to the service section:

CapabilityBoundingSet=CAP_SYS_RAWIO
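
An added check, written for this page and not part of the question or the answer: given the text printed by `getcap` on the binary and by `systemctl show -p CapabilityBoundingSet` on the unit, it predicts whether execve() will refuse the binary, using the capabilities(7) rule that a file capability set carrying the Effective bit must be fully honoured or exec fails with EPERM (the status=203/EXEC seen above). The output formats of getcap and systemctl are assumed from those tools; the sample inputs are constructed to mirror the question.

```shell
#!/bin/sh
# Added example (not from the question or answer). Rule from capabilities(7):
# when a file's capability set has the Effective flag, every file-permitted
# capability must survive the process bounding set; if one is masked out,
# execve() fails with EPERM (systemd reports status=203/EXEC). Without the
# Effective flag the missing capabilities are silently dropped instead.

# check_exec GETCAP_LINE SHOW_LINE -> 0 if exec succeeds, 1 if EPERM expected
check_exec() {
    # bounding set as systemctl prints it: lowercase names, space separated
    bset=$(printf '%s\n' "$2" | sed 's/^CapabilityBoundingSet=//')
    # strip the path; accept both "path cap=ep" and older "path = cap+ep"
    spec=$(printf '%s\n' "$1" | sed 's/^[^ ]* *=\{0,1\} *//')
    for clause in $spec; do
        case $clause in *[=+]*) ;; *) continue ;; esac
        flags=${clause#*[=+]}        # e.g. "ep"
        names=${clause%%[=+]*}       # e.g. "cap_net_raw,cap_net_admin"
        # only clauses carrying the Effective flag trigger the safety check
        case $flags in *e*) ;; *) continue ;; esac
        for cap in $(printf '%s\n' "$names" | tr ',' ' '); do
            case " $bset " in *" $cap "*) ;; *) return 1 ;; esac
        done
    done
    return 0
}

# Constructed inputs mirroring the question: the unit ships an empty
# CapabilityBoundingSet=, and the binary was given cap_sys_rawio=ep.
GETCAP='/usr/sbin/collectd cap_sys_rawio=ep'
for show in 'CapabilityBoundingSet=' 'CapabilityBoundingSet=cap_sys_rawio'; do
    if check_exec "$GETCAP" "$show"; then
        echo "$show -> exec OK"
    else
        echo "$show -> execve EPERM expected (status=203/EXEC)"
    fi
done
```

Run it against real output (`check_exec "$(getcap /usr/sbin/collectd)" "$(systemctl show -p CapabilityBoundingSet collectd.service)"`) after `systemctl daemon-reload` to confirm the drop-in is actually in effect.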
